The House of Representatives on Jan. 10 approved a bill that would require individuals to be notified by the Department of Health and Human Services within two days of discovering breaches involving personal information on federally facilitated and state-operated Obamacare health insurance exchanges.

Despite the legislation having some bipartisan support, the White House issued a statement opposing the bill's passage "because it would create unrealistic and costly paperwork requirements that do not improve the safety or security of personally identifiable information in the health insurance marketplaces."

The statement notes: "The indiscriminate reporting requirement may seriously impede the law enforcement investigation of a breach. Unlike existing requirements, H.R. 3811 requires expensive and unnecessary notification for the compromise of publicly available information, even if there is no reasonable risk that information could be used to cause harm."

Under Obamacare, insurers cannot deny health coverage to individuals based on pre-existing health conditions, so HIPAA-protected health data is not collected or exchanged on the insurance marketplace sites, whether they're state-operated or facilitated by the federal government through the HealthCare.gov website. However, other consumer information, including financial-related data, is submitted as part of the application.

"Breaches take time to investigate, and if notification is required within two days, consumers potentially affected are not likely to receive much useful information about the breach," says Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. "It could even be the case that consumers whose data was not ultimately involved may be unnecessarily notified. Ideally breach notification should contain as many details as are possible to help consumers assess their risks and potentially take mitigating actions," McGraw notes.

"Breaches should always be subject to notification as soon as possible, with an outer time limit to avoid delay," she adds. For example, the HITECH Act, enacted by Congress in 2009, requires notification without unreasonable delay and no later than 60 days after discovery, she notes.

Congressional Scrutiny

The House vote follows a series of Congressional hearings focused on the technical woes and security concerns for the HealthCare.gov website and systems that facilitate the health insurance exchanges of 36 states under the Affordable Care Act (see IT Experts Answer Obamacare Questions).

Many Democrats have charged that the mostly Republican-led scrutiny of HealthCare.gov's security is motivated by the GOP's ongoing desire to see the Affordable Care Act fail.

Drew Hammill, a spokesman for Democratic leader Rep. Nancy Pelosi, D-Calif., said in a Jan. 2 statement, "It is clear that the New Year has brought no change in heart for House Republicans. They continue to remain intent on undermining or repealing the Affordable Care Act at every turn, and that effort even extends to scaring their constituents from obtaining health coverage."

Notification Requirements

HR 3811, the bill that passed the House Jan. 10, states: "Not later than two business days after the discovery of a breach of security of any system maintained by an exchange established under the Affordable Care Act, which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed, the Secretary of the Department of Health and Human Services shall provide notice of such breach to each such individual" (see House to Vote on Obamacare Security Bills).

A House vote on another Obamacare security-related bill was delayed. The vote on the Exchange Information Disclosure Act, sponsored by Rep. Lee Terry, R-Neb., has been rescheduled for the week of Jan. 13, says a Terry spokesman. That legislation proposes to amend the Affordable Care Act "to require transparency in the operation of American Health Benefit Exchanges."

Among the security-related provisions of the Terry-sponsored bill is a requirement for Congress to receive weekly reports on the health insurance exchanges, including enrollment numbers, as well as a description of technical problems on the HealthCare.gov site, including those related to consumer privacy and data security.

The focus on the security of HealthCare.gov is just one part of Cantor's larger call for "greater transparency" overall from the Obama administration for the Affordable Care Act, including "disclosure of reliable and complete enrollment data."

About the Author

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
